The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to any body interested in scripting Windows. But I do have a very good reason to bump that recommendation this week just to make sure everybody following my blog do not miss that my colleague and fellow MVPNiclas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2:ndto the 6:th of July.

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of functionality…) or uses filters that does not provide efficient reduction of the number of certificates presented to the user making it almost impossible for a user to know witch certificate to choose unless opening the certificate and looking at the details of template name, EKU, etc.

This is particularly true when all certificates has been automatically enrolled using the same user DN/CN attribute based on the users Active Directory user object attributes. In addition to that, Autoenrollment does not support variations in certificate subject name unless using some third party policy module installed on the Active Directory Certificates Services.

Knowing that the certificate selection UI supports certificate friendly names. Setting the certificate friendly name to include information about the certificate template can simplify the users task to select the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil –repairstore –user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved by either automating/scripting the steps above alternatively by creating a tool that enumerates all certificates in the personal store and assign the friendly name.

A proof of concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store, it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and Read more about Network Isolation for Metro style Apps http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure using certreq to generate and sign the CMC certificate request is defined by the following steps

2. Generate the initial self signed CMC certficate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self signed CMC certficate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer

The procedure described above works as expected until you try it in Windows 2008 R2 SP1 (I have not had the chans to test other versions yet) and you will get an error message at step 3 failing the agent signing.

What happens in step 3 is that the certreq tools will try to read the referenced certificate template from Active Directory and to figure out the signing requirements and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template with the same error I decided to perform the agent signing using other tools, after some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with provided samples but I wanted something more simple so I ended up in this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Usingthe code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool and the CMC request could be signed and the certificate issued without errors.

What if this version certreq.exe has some issue? To figure out that I decided to test the certreq -sign operation with an older version of certreq.exe so I grabbed the Windows 2003 Admin Tool Pack and extracted the certreq.exe and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Microsoft has released an updated version of the banned.h header file to help developers sanitizing resource which supports the SDL requirement and to remove banned functions from code. The header file simply lists all banned APIs and allows any developer to locate them in code and remove or adjust the code to be aligned with the SDL requirements.